From: Wenwen Wang
Date: Wed, 3 Oct 2018 09:54:34 -0500
Subject: Re: [PATCH] stm class: fix a missing-check bug
To: alexander.shishkin@linux.intel.com
Cc: Kangjie Lu, open list, Wenwen Wang
In-Reply-To: <87h8i379af.fsf@ashishki-desk.ger.corp.intel.com>
References: <1538542259-11868-1-git-send-email-wang6495@umn.edu> <87h8i379af.fsf@ashishki-desk.ger.corp.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Oct 3, 2018 at 2:57 AM Alexander Shishkin wrote:
>
> Wenwen Wang writes:
>
> > In stm_char_policy_set_ioctl(), the 'size' field of the struct
> > 'stp_policy_id' is firstly copied from the user space and then checked,
> > because the length of the 'id' field in this struct, which represents an
> > identification string, is not fixed. If the 'size' field cannot pass the
> > check, an error code EINVAL will be returned. However, after the check, the
> > whole struct is copied again from the user space. Given that the user data
> > resides in the user space, a malicious user-space process can race to
> > change the size between the two copies. By doing so, the attacker can
> > bypass the check on the 'size' field and inject malicious data.
>
> How? The id->size is not used for anything.
>
> And even if there was a problem, this:
>
> > - if (copy_from_user(id, arg, size)) {
> > + if (copy_from_user(&id->master, (char __user *)arg + sizeof(size),
> > + size - sizeof(size))) {
>
> is completely pointless.

Given that id->size is not used, it should not be copied from the user
space. This code is used to remove such a redundant copy.

> > ret = -EFAULT;
> > goto err_free;
> > }
> >
> > + id->size = size;
>
> So, if we did use id->size after the copying, we'd indeed have this line
> in the code. But since we don't, it's also pointless, so it's not there.
>
> Thanks,
> --
> Alex
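Review bot: the replacement copy_from_user() hard-codes the struct layout through pointer arithmetic: `&id->master` as the destination and `(char __user *)arg + sizeof(size)` as the source only line up if `master` is the first member after `size` in struct stp_policy_id with no padding between them, and the length `size - sizeof(size)` silently assumes the same. If this copy is kept at all, derive the offset once with `offsetof(struct stp_policy_id, master)` for both the source pointer and the subtracted length, and note that the subtraction is only safe because the earlier size check (not visible in this hunk) has already rejected any `size` smaller than the header. Separately, since nothing after the copy reads `id->size` (as the reply in this thread states), the added `id->size = size;` line in the same hunk is dead and the hunk changes no reachable behaviour; the commit message's "missing-check" framing should be dropped or the patch retitled as a cleanup so it is not mistaken for a security fix.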
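The double fetch discussed above, modelled in user-space C as an added example (this is not the kernel's code nor the patch under review). It goes slightly beyond the thread: it shows the variant in which the re-fetched `id->size` is trusted, so the race actually bites, next to the shape the kernel code has, where only the checked local `size` is used and the re-fetched field is dead. `struct policy_id`, `MAX_SIZE`, `copy_from_user_sim()`, the race hooks and the sample request string are simplified assumptions made for this illustration; an out-of-bounds read is detected and reported rather than performed.

```c
/*
 * Added example, not the kernel's code or the patch under review: a
 * user-space model of the double fetch in stm_char_policy_set_ioctl().
 * struct policy_id, MAX_SIZE, copy_from_user_sim(), the race hooks and
 * SAMPLE_ID are simplified assumptions made for this illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct stp_policy_id: 'size' first, fixed fields, then a
 * variable-length NUL-terminated identification string. */
struct policy_id {
    uint32_t size;      /* total length: header + id string + NUL */
    uint16_t master;
    uint16_t channel;
    char id[];
};

#define MAX_SIZE 64u                      /* stand-in for the PATH_MAX bound */
#define SAMPLE_ID "stp-policy/example"    /* constructed sample request */

enum { POLICY_OK = 0, POLICY_EINVAL = -1, POLICY_OVERRUN = -2 };

/* The racing user thread: runs in the window between the two fetches and
 * rewrites the size field of the shared user buffer. */
typedef void (*race_hook_t)(unsigned char *user_buf);
static void race_grow(unsigned char *u)   { uint32_t s = 4096; memcpy(u, &s, sizeof(s)); }
static void race_shrink(unsigned char *u) { uint32_t s = 0;    memcpy(u, &s, sizeof(s)); }

/* copy_from_user() stand-in over ordinary memory; cannot fault here. */
static void copy_from_user_sim(void *dst, const unsigned char *src, size_t n)
{
    memcpy(dst, src, n);
}

/*
 * Fetch size, check it, allocate, then fetch the whole struct again.
 * trust_refetch chooses which size bounds the id-string copy afterwards:
 *   1: the re-fetched id->size, a value the check never saw (the pattern
 *      the bug report describes, made to bite here);
 *   0: the local 'size' that was checked, which is what the kernel code
 *      does and why its unused id->size cannot be abused.
 */
static int policy_set(unsigned char *user_buf, race_hook_t race,
                      int trust_refetch, char *out, size_t out_len)
{
    uint32_t size;
    struct policy_id *id;
    size_t hdr_len = sizeof(*id), str_len;

    copy_from_user_sim(&size, user_buf, sizeof(size));       /* fetch 1 */
    if (size < hdr_len || size > MAX_SIZE)
        return POLICY_EINVAL;

    id = calloc(1, size);
    if (!id)
        return POLICY_EINVAL;
    if (race)
        race(user_buf);                                       /* TOCTOU window */
    copy_from_user_sim(id, user_buf, size);                   /* fetch 2 */

    str_len = (trust_refetch ? id->size : size) - hdr_len;    /* wraps if id->size < hdr_len */
    if (str_len > size - hdr_len || str_len >= out_len) {
        free(id);
        return POLICY_OVERRUN;   /* would read past the size-byte allocation */
    }
    memcpy(out, id->id, str_len);
    out[str_len] = '\0';
    free(id);
    return POLICY_OK;
}

/* Run one scenario on a freshly built, well-formed request. */
static int run_scenario(race_hook_t race, int trust_refetch, char *out, size_t out_len)
{
    unsigned char user_buf[4 * MAX_SIZE];   /* the "user" memory */
    struct policy_id hdr;

    memset(user_buf, 0, sizeof(user_buf));
    memset(&hdr, 0, sizeof(hdr));
    hdr.size = (uint32_t)(sizeof(hdr) + strlen(SAMPLE_ID) + 1);
    hdr.master = 1;
    memcpy(user_buf, &hdr, sizeof(hdr));
    memcpy(user_buf + sizeof(hdr), SAMPLE_ID, strlen(SAMPLE_ID) + 1);
    return policy_set(user_buf, race, trust_refetch, out, out_len);
}

/* Status of a scenario, and whether the id string came through intact. */
static int scenario_status(race_hook_t race, int trust_refetch)
{
    char out[MAX_SIZE];
    return run_scenario(race, trust_refetch, out, sizeof(out));
}

static int scenario_string_intact(race_hook_t race, int trust_refetch)
{
    char out[MAX_SIZE] = "";
    return run_scenario(race, trust_refetch, out, sizeof(out)) == POLICY_OK &&
           strcmp(out, SAMPLE_ID) == 0;
}

int main(void)
{
    const char *names[] = { "no race", "race: grow size", "race: shrink size" };
    race_hook_t hooks[] = { NULL, race_grow, race_shrink };
    for (int i = 0; i < 3; i++)
        printf("%-18s trust re-fetched size: %3d   use checked size: %3d\n",
               names[i], scenario_status(hooks[i], 1), scenario_status(hooks[i], 0));
    return 0;
}
```

With no race both variants succeed; with the size flipped between the fetches, only the variant that trusts the re-fetched `id->size` reports an overrun (either a huge length or an unsigned wrap when the size is shrunk below the header), while the variant that keeps using the checked local `size` still extracts the id string correctly, which is the point of the objection in the thread.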